cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2434
Views
15
Helpful
5
Replies

IPSK without MAC address

Emiliano Luca
Level 1
Level 1

I would like to use IPSK  and I undestrood it works like this:

-I will configure one only common SSID
-user who will connect to IPSK_SSID and use PSK_123   will be connected to VLAN  123
-user who will connect to IPSK_SSID and use PSK_456   will be connected to VLAN  456

-user who will connect to IPSK_SSID and use PSK_789   will be connected to VLAN  789

And this will be great.

 

What is not clear to me is: before any user will be able to use PSK_XXX  do  I need to know  his  MAC address?

Is it really mandatory to know their mac address   before they will be able to connect to the IPSK  SSID ?

Is there any way to bypass this with a wildcard that acceprt any mac and checks only  PSK  to decide to admit or not the clients?
My goal is to admit all clients that have the correct PSK   because (for many reasons)  I'm not able to produce a coplete database of all mac address they have now and particularly I'm not able to foresee what mac they will have in the future. 


Thank you in advance for your help

5 Replies 5

Hi

 Yes, you do. There´s no wild card for mac address as it can change significantly according with the vendor.

 

This link below will drive you very very well on this configuration, including RADIUS. 

https://ripplesinharmony.wordpress.com/2019/03/11/implementing-cisco-ipsk-with-ise/

 

-If I helped you somehow, please, rate it as useful.-

Haydn Andrews
VIP Alumni
VIP Alumni

Correct you need to add their MAC addresses to your RADIUS server before they can connect. No wildcards unfortunately.

Keep an eye out as Cisco was talking about releasing something around on boarding IOT devices for this use case to save having to manually adding every MAC address. This was mentioned at MFD4

 

 

 

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

igaffine
Level 1
Level 1

Hi Community,

 

Just wanted to get an update on this topic in case changes have occurred in later ISE versions. As with the original poster of this topic, I have a similar situation where a customer would like to rationalise a number of PSK services using iPSK, however, they don't have a complete list of devices & MAC addresses as these are 3rd systems that come on the network as and when. 

 

Ideally if iPSK would allow any MAC address to connect as long as they had the valid PSK, then this would tick the box. I have seen the onboarding iPSK portal with iPSK Manager, which looks really good, but does not fit my customer requirement this time. The customer could look to run reports on the clients connecting to the wireless services via Prime Infrastructure and capture the MAC addresses over time, but this could take time too.

 

Alternatively, is it possible to allow ISE with iPSK Manager to allow any MAC address to connect as long as it has the valid PSK, and then perhaps iPSK Manager then registers that MAC for future connections.

 

Unfortunately I am after an onboarding process without the need for the client or the customer to onboard their devices

 

Kind regards,

 

Ian

You can just create a catch all rule for end devices that are in the default endpoint group. This way you allow the devices and also capture the device mac address.
-Scott
*** Please rate helpful posts ***

Hi Scott, Thanks for your reply. Is that default group in iPSK Manager? My example would be migrating three SSIDs for three different 3rd parties, each having different PSKs. We would create one SSID with iPSK, and then tell the 3rd parties to connect to that with their old PSK information. Therefore this catch all could see clients connecting with three different PSKs. Would that work?

 

Alternatively, we would give them a new PSK and then tell them to use the iPSK onboarding process. But ideally we are looking at a way of doing this without iPSK Manager, as the customer is not comfortable with an unsupported platform.

 

Am I correct in assuming that wildcard MACs are still not allowed on ISE (as per Haydn's response)?

 

Any news on whether iPSK Manager is being integrated into ISE?

 

KR, Ian

Review Cisco Networking for a $25 gift card